Recommendation: To improve the awareness of how risk-significant radioactive sources are transported within the United States and to better determine whether Nuclear Regulatory Commission (NRC) is meeting its goal of providing reasonable assurance for preventing the theft or diversion of these dangerous materials, the Chairman of NRC should take actions to collect information from licensees on the number of shipments and mode of transport for such sources--for example, by identifying the extent to which an existing NRC database (e.g., the National Source Tracking System) may be used to capture this information.

Agency: Nuclear Regulatory Commission
Status: Open

Comments: In its February 26, 2018 report to Congress on actions NRC has taken in response to GAO recommendations, NRC continued to disagree with the recommendation to expand its existing data collection requirements or to transition such information from its existing NRC databases to the NSTS. NRC stated that, as required by 10 CFR Part 37, "Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material," the NRC currently collects the number of shipments and mode of transport for domestic transfers, and the import and export of Category 1 quantities of radioactive material. Additionally, under the provisions of 10 CFR Part 110, "Export and Import of Nuclear Material," the NRC stated that it collects the number of shipments and mode of transport for the import and export of shipments containing Category 2 or higher quantities of radioactive material. The NRC stated that it is the agency's position that the current information collected provides the NRC with an understanding of the potential modes of transport for Category 1 and 2 quantities of radioactive material and existing regulatory requirements provide robust protection for all such modes. The NRC stated that it does not consider the proposed additional information collection activity to be of sufficient safety or security benefit to justify the associated regulatory actions it would require. In August 2019, and again in August 2020, the NRC reaffirmed its disagreement with this recommendation and that it did not intend to take action to implement it. Despite its disagreement with this recommendation, we will continue to monitor whether NRC takes any actions that would result in addressing the concern GAO raised.

Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.

Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of Defense
Status: Open

Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.